Driving Forces of the Attack Evolution
Dynamics of Driving Factors

1994: Mitnick's SYN Flood DoS

[Diagram: Mitnick's attack on Shimomura's hosts]
- many SYNs from foreign IP 130.92.6.97 -> server.login (Shimomura): spoofed SYNs, no ACKs; server.login's SYN+ACKs go unanswered, retransmit...
- apollo.it.luc.edu (Mitnick) -> x-terminal.shell (Shimomura): spoofed SYN with source IP server.login and a guessed SeqNo
- x-terminal.shell -> server.login: SYN+ACK
- RCE on x-terminal.shell

Credit: Icons made from http://www.onlinewebfonts.com/icon is licensed by CC BY 3.0


1996-2010: Occurrence and Development of Basic Methods

1996: PANIX SYN Flood


(Posted by Alexis Rosen) Sat, Sep 07 1996 -- 1:23 AM
Friday evening, starting at around 5:45, all of Panix's main mail hosts were attacked from a site somewhere on the internet. I have been trying to deal with this problem ever since, and the attack is still happening at this time.

This is probably the most deadly type of denial-of-service attack possible.

(Posted by Alexis Rosen) Sun, Sep 08 1996 -- 6:58 AM
Late Saturday evening, my temporary low-grade routing hack to protect our mail service was overcome and our mail servers were again inoperable due to the "SYN flood" attack.

(Posted by Alexis Rosen) Mon, Sep 09 1996 -- 11:43 AM
We are now being attacked on our telnet ports. This means that people can't reach panix1, panix2, or panix3 from the internet. Our router is also being attacked. Our web server's web port is being attacked too.


1996: PANIX SYN Flood

[Newspaper clipping overlaid on the posts above] New York's Panix Service Is Crippled by Hacker Attack, By ROBERT E. CALEM

Source: New York Times


1996: PANIX SYN Flood - Reaction

«20pps is enough to keep the SYN queue full» - Internet Protocols for Network-Attached Peripherals, Steve Hotz, Rodney Van Meter, and Gregory Finn, Information Sciences Institute, University of Southern California, 1998

«ISPs: Filter spoofed IP traffic through your networks» - CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks

SYN cookies: idea 7 days after the attack, implementation 1 month later - Daniel J. Bernstein, Eric Schenk
Mechanism of SYN-Cookies

Client                                   Server
state changes to SYN-SENT    --SYN-->    encodes client information (client IP, time, window, etc) into a cookie that is used as the ISN; no per-connection state is kept
                            <--SYN-ACK-- (ISN = cookie)
state changes to ESTABLISHED --ACK-->    the ACK carries the cookie back; server checks the cookie and, if verified, its state changes to ESTABLISHED

https://datatracker.ietf.org/doc/html/rfc6013
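The exchange above, worked through as an added example (not code from the slides, RFC 6013 or any kernel): a simplified Bernstein-style SYN cookie in which the ISN packs a time slot, an MSS index and a keyed hash, and the server verifies the client's ACK without having stored anything. The secret, the MSS table and the 2-slot validity window are assumptions for the demo.

```python
import hashlib
import hmac
import socket
import struct

# Added example (not the slides' or any kernel's code): a simplified
# Bernstein-style SYN cookie. The 32-bit ISN sent in the SYN-ACK encodes
#   bits 31..27: t, the current 64-second time slot mod 32
#   bits 26..24: index into a small MSS table (the one client option kept)
#   bits 23..0 : keyed hash of (client IP, client port, server IP, server port, t)
# The server stores nothing; the client's final ACK acknowledges ISN+1, so the
# cookie can be recovered from the ACK number and re-verified.

MSS_TABLE = (536, 1220, 1440, 1460)      # encodable MSS values (index 0..3)
SECRET = b"constructed-demo-secret"       # assumption: a real server rotates this
SLOT_SECONDS = 64
MAX_AGE_SLOTS = 2                         # cookies older than ~2 minutes are rejected


def _hash24(src_ip, src_port, dst_ip, dst_port, t):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time slot."""
    msg = struct.pack("!4s4sHHB", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                      src_port, dst_port, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """ISN to put in the SYN-ACK; called on SYN, keeps no per-connection state."""
    t = (now // SLOT_SECONDS) & 0x1F
    # Largest table entry not above the client's MSS (fall back to the smallest).
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (t << 27) | (idx << 24) | _hash24(src_ip, src_port, dst_ip, dst_port, t)


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now):
    """Return the negotiated MSS if the ACK carries a valid, fresh cookie, else None."""
    cookie = (ack_num - 1) & 0xFFFFFFFF   # the client acknowledges ISN+1
    t = cookie >> 27
    idx = (cookie >> 24) & 0x7
    age = ((now // SLOT_SECONDS) & 0x1F) - t
    if age & 0x1F > MAX_AGE_SLOTS or idx >= len(MSS_TABLE):
        return None                        # stale, or forged with a bad MSS index
    expected = _hash24(src_ip, src_port, dst_ip, dst_port, t)
    if not hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                        # not minted by us for this 4-tuple/slot
    return MSS_TABLE[idx]
```

Because the hash is bound to the source address, a spoofed SYN (as in the 1994 and 1996 attacks) costs the server nothing and the spoofer never sees the cookie it would need to complete the handshake.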


2000: MafiaBoy Shuts Down Top Sites

[Logos: amazon.com, Buy.com, Yahoo!; news clipping: "The president and his key national security advisors today will meet with top industry executives to discuss ways to jumpstart the administration's Internet security initiatives" (summit)]

1-2 attacks/day, 8 days' duration
~800Mbps (Buy.com) attack bandwidth
university hosts as traffic sources

Source: Google


2006: Amplification Attacks

The Continuing DoS Threat Posed by DNS Recursion, US-CERT 2005
2.4Gbps peak, 14 minutes attack on TLD

[Diagram] attacker spoofs Victim's IP in DNS queries (30Mbps) -> recursive DNS servers -> responses to Victim's IP (600Mbps)
2007-2010: DDoS Hacktivism

Source: Wikimedia

[Screenshot of the Slowloris banner: "Welcome to Slowloris - the low bandwidth, yet greedy and poisonous HTTP client", followed by its usage line and a hint to run perldoc on slowloris.pl for help with options]
2010-2016: Attacks on Sony, Spamhaus. The Evolution of Protection Methods

2011-2014: Troubles of Sony

Source: Daily Mirror

2011: hacking under the cover of a DDoS attack
annual attacks on the PlayStation Network
2014: hacking under the cover of a DDoS attack; hacked routers as part of a botnet
~100..125Gbps possible attack bandwidth for 2011

[Headline] Sony Pegs PSN Attack Costs at $170 Million, $3.1B Total Loss
[Stresser dashboard screenshot] "Our current power stands at 100-125Gbps average with a total network of 600Gbps! VPNs are blocked through the payment system, please take them off for the next step!" / "You already have a package! Buying again will overwrite your current package and will not give you concurrents/more attacks at once!"

Source: Forbes, Krebs On Security


2013: Attacks on Spamhaus

75..90Gbps first attack's bandwidth
~300Gbps maximum bandwidth
DNS Amplification method

[Traffic graph] Inbound: Current 53.01 G, Average 46.82 G, Maximum 118.52 G; Outbound: Current 49.63 G, Average 57.51 G, Maximum 80.33 G
[Chart] Total Amplificators Count / Cumulative Amplification Potential

Source: Cloudflare, Qrator.Radar Network Scanner


2010-2016: Development of Protection Services

- Customer On-Premises Equipment
- Protection at ISP
- Distributed Filtering Networks

2016-2018: Mirai. Terabit Attacks. Booter Services
2016: Mirai and "DDoS from the Kettle"

20.09 KrebsOnSecurity: 620Gbps bandwidth, 145K bots count
20.09 OVH: 990Gbps bandwidth

[OVH screenshot] "Last days, we got lot of huge DDoS. Here, the list of 'bigger that 100Gbps' only. You can see the simultaneous DDoS are close to 1Tbps!"
[Shell pipeline over /home/vac/logs/vac.log-last (egrep on pps/bps, awk, sed, cut, grep "gone"), output below]
Sep|18|10:49:12|tcp_ack|20Mpps|232Gbps
Sep|18|10:58:32|tcp_ack|15Mpps|173Gbps
Sep|18|11:17:02|tcp_ack|19Mpps|224Gbps
Sep|18|11:44:17|tcp_ack|19Mpps|227Gbps
Sep|18|19:05:47|tcp_ack|66Mpps|735Gbps
Sep|18|20:49:27|tcp_ack|81Mpps|360Gbps
Sep|18|22:43:32|tcp_ack|11Mpps|136Gbps
Sep|18|22:44:17|tcp_ack|38Mpps|442Gbps
Sep|19|10:13:57|tcp_ack|10Mpps|117Gbps
Sep|19|11:53:57|tcp_ack|13Mpps|159Gbps
Sep|19|11:54:42|tcp_ack|52Mpps|607Gbps
Sep|19|22:51:57|tcp_ack|10Mpps|115Gbps
Sep|20|01:40:02|tcp_ack|22Mpps|191Gbps
Sep|20|01:40:47|tcp_ack|93Mpps|799Gbps
Sep|20|01:50:07|tcp_ack|14Mpps|124Gbps
Sep|20|01:50:32|tcp_ack|72Mpps|615Gbps
Sep|20|03:12:12|tcp_ack|49Mpps|419Gbps
Sep|20|11:57:07|tcp_ack|15Mpps|178Gbps
Sep|20|11:58:02|tcp_ack|60Mpps|698Gbps
Sep|20|12:31:12|tcp_ack|17Mpps|201Gbps
Sep|20|12:32:22|tcp_ack|50Mpps|587Gbps
Sep|20|12:47:02|tcp_ack|18Mpps|210Gbps
Sep|20|12:48:17|tcp_ack|49Mpps|572Gbps
Sep|21|05:09:42|tcp_ack|32Mpps|144Gbps
Sep|21|20:21:37|tcp_ack|22Mpps|122Gbps
Sep|22|00:50:57|tcp_ack|16Mpps|191Gbps
You have new mail in /var/mail/root

Attack Type      Attacks  Targets  Class
HTTP flood       2,736    1,035    A
UDP-PLAIN flood  2,542    1,278    V
UDP flood        2,440    1,479    V
ACK flood        2,173    875      S
SYN flood        1,935    764      S
GRE-IP flood     994      587      A
ACK-STOMP flood  830      359      S
VSE flood        809      550      A
DNS flood        417      173      A
GRE-ETH flood    318      210      A

Table 9: C2 Attack Commands - Mirai launched 15,194 attacks between September 27, 2016 and February 28, 2017. These include [A]pplication-layer attacks, [V]olumetric attacks, and TCP [S]tate exhaustion, all of which are equally prevalent.

Source: https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
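The slide's "990Gbps" is what the two Sep 20 01:40 lines add up to (191Gbps + 799Gbps), which no single line shows. As an added example (not code from the slides or from OVH), a parser for that log format that finds the largest aggregate among attacks starting within a short window, run on a constructed subset of the lines above; the 60-second window and the year are assumptions.

```python
import re
from datetime import datetime

# Constructed subset of the log lines in the OVH screenshot above (format
# Mon|DD|HH:MM:SS|type|Mpps|Gbps), with one line of shell noise mixed in.
SAMPLE_LOG = """\
Sep|18|19:05:47|tcp_ack|66Mpps|735Gbps
Sep|18|20:49:27|tcp_ack|81Mpps|360Gbps
Sep|20|01:40:02|tcp_ack|22Mpps|191Gbps
Sep|20|01:40:47|tcp_ack|93Mpps|799Gbps
Sep|20|01:50:07|tcp_ack|14Mpps|124Gbps
Sep|20|01:50:32|tcp_ack|72Mpps|615Gbps
You have new mail in /var/mail/root
"""

LINE_RE = re.compile(
    r"^(\w{3})\|(\d{1,2})\|(\d{2}:\d{2}:\d{2})\|(\w+)\|(\d+)Mpps\|(\d+)Gbps$")


def parse_attacks(log, year=2016):
    """Return [(start_time, type, mpps, gbps)] sorted by time; other lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # e.g. the "You have new mail" line
        mon, day, hms, kind, mpps, gbps = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        events.append((ts, kind, int(mpps), int(gbps)))
    return sorted(events)


def peak_concurrent_gbps(events, window_s=60):
    """Largest sum of Gbps over attacks that start within window_s of each other.

    Reading one line at a time under-reports the load on the target: the two
    Sep 20 01:40 entries together exceed the biggest single entry.
    """
    best, best_group = 0, []
    for i, (t0, *_) in enumerate(events):
        group = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_s]
        total = sum(e[3] for e in group)
        if total > best:
            best, best_group = total, group
    return best, best_group
```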


2016: DDOS as a service? Yes, long ago.

[Screenshot of the vDos booter FAQ] How do I purchase a vDos plan?
Purchasing a booter plan is easy and only takes a few minutes, we accept the following payment methods based on your billing country/region and the currency in which you want to pay to make it an easy, secure and quick shopping experience for you.
Bitcoin: we believe in the huge potential of this new digital currency.
Select the best package based on your usage needs and size of business: 19.99 / 29.99 / 39.99 / 199.99 monthly

Source: are you serious?!


2018- : Memcached, Hybrids, Meris, New Protocols

2018: Memcached Amplification

Mitigation: Disable UDP
For memcached servers, make sure to disable UDP support if you do not need it. UDP is disabled by default on versions 1.5.6 and later.

Source: Github


2019: TCP SYN-ACK Amplification

300+Gbps
215+Mpps
12 hours' duration

Source: Servers.com, Qrator

Compared with UDP amplifiers: 3-5x amplification factor, but 10^7 potential count of amplifiers

[Chart: average amplification factor and absolute count per UDP amplifier protocol]
Memcached: factor 24, count 36,855
CLDAP: factor 23, count 214,027
CHARGEN: factor 95.3, count 601,599
QOTD: count 863,435
NTP: factor 15, count 8,639,889
Netbios: factor 29, count 9,647,679
Portmap: factor 14.4, count 10,284,769
SNMP: factor 24, count 14,340,420
SSDP: count 23,591,021
TOTAL

Source: Qrator


2019: Amplifiers' Check

[Screenshot of a Qrator.Radar AS view]
Providers 9, Customers 3, Peerings 859, Unspecified 1, Prefixes 267, IPv6 Connectivity
Security Issues: Route Leaks 3126, Hijacks 118, Bogons 81, Routing Loops 38, Vulnerable Ports 1, DDoS amplifiers 2
DDoS amplifiers tab: ALL(0) ICMP(0) DNS(0) NTP(0) SNMP(0) SSDP(0) CHARGEN(0) QOTD(0) NETBIOS(0) RIPv1(0) PORTMAP(0) MEMCACHED(0) CLDAP(0) QUAKE3(0) STEAM(0) CoAP(0)

Type  Server IP  Coefficient  First seen           Last seen            Status
DNS   (hidden)   31.28        2022-06-15 13:08:27  2022-12-05 08:25:08  Active
DNS   (hidden)   31.28        2022-11-28 09:26:07  2022-11-30 17:50:42  Archive
DNS   (hidden)   31.28        2022-10-19 12:14:40  2022-10-25 23:23:24  Archive
DNS   (hidden)   31.28        2022-09-08 23:37:46  2022-09-13 12:01:56  Archive

Source: https://radar.qrator.net


2021: Meris on MikroTik Routers

21.8Mrps Yandex 2021
17.6Mrps Cloudflare 2021
46Mrps Google 2022

[Graph: requests per second over time (Timestamp axis)]
[Qrator.Radar screenshot: prefixes utilized in the Meris botnet; Open scanner / About Meris]

Source: Yandex, Google Cloud, Qrator.Radar


New Protocols - New Challenges

2017 H2DoS - Xiang Ling, Chunming Wu, Shouling Ji, Meng Han
2017 HTTP/2 Tsunami: Investigating HTTP/2 proxy amplification DDoS attacks - David Beckett, Sakir Sezer
2019 CVE-2019-9511..9518 - Netflix security bulletin [1]

HTTP/2 features involved: multiplexing, constantly opened connections, compressing headers

[1] https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md


New Protocols - New Challenges

[Diagram: Multiple Streams -> Frames -> One Stream; Multiple Streams -> Frames -> Frames Again!]

Threats to HTTP/3:
- QUIC traffic looks an awful lot like DoS traffic
- CPU overhead
- Ossification inside the box
- Necessary middleboxes

Source: Mike Bishop, Akamai https://github.com/HTTPWorkshop/workshop2019/blob/main/talks/bishop-HTTP3-Thinking.pdf
Source: Youtube


What did we understand?

- Most DDoS methods will not be "fixed" without changes in protocols, and that takes decades.
- New methods come, the old ones do not go away.
- Recommendations do not help, unlike the proactive measures.
- Improving the quality of life also makes the "quality" of attacks better.